Set event.module and event.dataset

elastic · Jun 29, 2021 · a14674c · a14674c
1 parent 0e884ba
commit a14674c
Show file tree

Hide file tree

Showing 12 changed files with 62 additions and 20 deletions.
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
@@ -4,6 +4,9 @@
     - description: make GA
       type: enhancement
       link: https://github.com/elastic/integrations/pull/1214
+    - description: Set "event.module" and "event.dataset"
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1214
 - version: "0.9.2"
   changes:
     - description: Add support for Splunk authorization tokens

diff --git a/packages/windows/data_stream/forwarded/fields/base-fields.yml b/packages/windows/data_stream/forwarded/fields/base-fields.yml
@@ -16,6 +16,14 @@
 - name: dataset.namespace
   type: constant_keyword
   description: Dataset namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.forwarded
 - name: '@timestamp'
   type: date
   description: Event timestamp.

diff --git a/packages/windows/data_stream/forwarded/fields/ecs.yml b/packages/windows/data_stream/forwarded/fields/ecs.yml
@@ -63,10 +63,6 @@
       type: keyword
       ignore_above: 1024
       description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
-    - name: module
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the module this data is coming from.'
     - name: outcome
       type: keyword
       ignore_above: 1024

diff --git a/packages/windows/data_stream/perfmon/fields/base-fields.yml b/packages/windows/data_stream/perfmon/fields/base-fields.yml
@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.perfmon
 - name: '@timestamp'
   type: date
   description: Event timestamp.
diff --git a/packages/windows/data_stream/powershell/fields/base-fields.yml b/packages/windows/data_stream/powershell/fields/base-fields.yml
@@ -19,6 +19,14 @@
 - name: '@timestamp'
   type: date
   description: Event timestamp.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.powershell
 - name: tags
   description: List of keywords used to tag each event.
   example: '["production", "env2"]'

diff --git a/packages/windows/data_stream/powershell/fields/ecs.yml b/packages/windows/data_stream/powershell/fields/ecs.yml
@@ -28,10 +28,6 @@
       type: keyword
       ignore_above: 1024
       description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
-    - name: module
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the module this data is coming from.'
     - name: outcome
       type: keyword
       ignore_above: 1024

diff --git a/packages/windows/data_stream/powershell_operational/fields/base-fields.yml b/packages/windows/data_stream/powershell_operational/fields/base-fields.yml
@@ -19,6 +19,14 @@
 - name: '@timestamp'
   type: date
   description: Event timestamp.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.powershell_operational
 - name: tags
   description: List of keywords used to tag each event.
   example: '["production", "env2"]'

diff --git a/packages/windows/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/data_stream/powershell_operational/fields/ecs.yml
@@ -28,10 +28,6 @@
       type: keyword
       ignore_above: 1024
       description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
-    - name: module
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the module this data is coming from.'
     - name: outcome
       type: keyword
       ignore_above: 1024

diff --git a/packages/windows/data_stream/service/fields/base-fields.yml b/packages/windows/data_stream/service/fields/base-fields.yml
@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.service
 - name: '@timestamp'
   type: date
   description: Event timestamp.
diff --git a/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml
@@ -16,6 +16,14 @@
 - name: dataset.namespace
   type: constant_keyword
   description: Dataset namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: windows
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: windows.sysmon_operational
 - name: '@timestamp'
   type: date
   description: Event timestamp.

diff --git a/packages/windows/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/data_stream/sysmon_operational/fields/ecs.yml
@@ -41,10 +41,6 @@
       type: keyword
       ignore_above: 1024
       description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
-    - name: module
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the module this data is coming from.'
     - name: outcome
       type: keyword
       ignore_above: 1024

diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
@@ -42,6 +42,8 @@ The Windows `service` dataset provides service details.
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -96,6 +98,8 @@ The Windows `perfmon` dataset provides performance counter values.
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -254,9 +258,10 @@ An example event for `powershell` looks as following:
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
 | event.code | Identification code for this event, if one exists. | keyword |
 | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
+| event.dataset | Event dataset | constant_keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
+| event.module | Event module | constant_keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
 | event.sequence | Sequence number of the event. | long |
@@ -579,9 +584,10 @@ An example event for `powershell_operational` looks as following:
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
 | event.code | Identification code for this event, if one exists. | keyword |
 | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
+| event.dataset | Event dataset | constant_keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
+| event.module | Event module | constant_keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
 | event.sequence | Sequence number of the event. | long |
@@ -973,9 +979,10 @@ An example event for `sysmon_operational` looks as following:
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
 | event.code | Identification code for this event, if one exists. | keyword |
 | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
+| event.dataset | Event dataset | constant_keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
+| event.module | Event module | constant_keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
 | event.sequence | Sequence number of the event. | long |
@@ -1010,7 +1017,7 @@ An example event for `sysmon_operational` looks as following:
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |