From 024078148c768a3ba561bfca0988a58246da7e0c Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Thu, 10 Dec 2020 13:43:56 -0600 Subject: [PATCH] Stage 3 changes for wildcard RFC 0001 (#1098) # Conflicts: # experimental/schemas/host.yml # generated/csv/fields.csv --- code/go/ecs/event.go | 4 +- docs/field-details.asciidoc | 314 +++++++---- experimental/generated/beats/fields.ecs.yml | 3 +- experimental/generated/ecs/ecs_flat.yml | 205 +++++++- experimental/generated/ecs/ecs_nested.yml | 219 +++++++- experimental/schemas/agent.yml | 5 - experimental/schemas/as.yml | 5 - experimental/schemas/client.yml | 7 - experimental/schemas/destination.yml | 7 - experimental/schemas/dns.yml | 9 - experimental/schemas/error.yml | 9 - experimental/schemas/file.yml | 9 - experimental/schemas/geo.yml | 5 - experimental/schemas/host.yml | 62 ++- experimental/schemas/http.yml | 9 - experimental/schemas/log.yml | 7 - experimental/schemas/organization.yml | 5 - experimental/schemas/os.yml | 7 - experimental/schemas/pe.yml | 5 - experimental/schemas/process.yml | 15 - experimental/schemas/registry.yml | 9 - experimental/schemas/server.yml | 7 - experimental/schemas/source.yml | 7 - experimental/schemas/tls.yml | 11 - experimental/schemas/url.yml | 13 - experimental/schemas/user.yml | 9 - experimental/schemas/user_agent.yml | 5 - experimental/schemas/x509.yml | 7 - generated/beats/fields.ecs.yml | 328 ++++-------- generated/ecs/ecs_flat.yml | 510 ++++++++++-------- generated/ecs/ecs_nested.yml | 545 ++++++++++++-------- generated/elasticsearch/7/template.json | 305 ++++------- schemas/agent.yml | 3 +- schemas/as.yml | 3 +- schemas/client.yml | 6 +- schemas/destination.yml | 6 +- schemas/dns.yml | 6 +- schemas/error.yml | 7 +- schemas/event.yml | 4 +- schemas/file.yml | 9 +- schemas/geo.yml | 3 +- schemas/host.yml | 3 +- schemas/http.yml | 9 +- schemas/log.yml | 6 +- schemas/organization.yml | 3 +- schemas/os.yml | 6 +- schemas/pe.yml | 3 +- schemas/process.yml | 18 +- schemas/registry.yml | 9 +- schemas/server.yml | 6 +- schemas/source.yml | 6 +- 
schemas/tls.yml | 12 +- schemas/url.yml | 15 +- schemas/user.yml | 9 +- schemas/user_agent.yml | 3 +- schemas/x509.yml | 6 +- use-cases/auditbeat.md | 4 +- use-cases/filebeat-apache-access.md | 4 +- use-cases/kubernetes.md | 2 +- use-cases/metricbeat.md | 2 +- use-cases/web-logs.md | 6 +- 61 files changed, 1654 insertions(+), 1192 deletions(-) delete mode 100644 experimental/schemas/agent.yml delete mode 100644 experimental/schemas/as.yml delete mode 100644 experimental/schemas/client.yml delete mode 100644 experimental/schemas/destination.yml delete mode 100644 experimental/schemas/dns.yml delete mode 100644 experimental/schemas/error.yml delete mode 100644 experimental/schemas/file.yml delete mode 100644 experimental/schemas/geo.yml delete mode 100644 experimental/schemas/http.yml delete mode 100644 experimental/schemas/log.yml delete mode 100644 experimental/schemas/organization.yml delete mode 100644 experimental/schemas/os.yml delete mode 100644 experimental/schemas/pe.yml delete mode 100644 experimental/schemas/process.yml delete mode 100644 experimental/schemas/registry.yml delete mode 100644 experimental/schemas/server.yml delete mode 100644 experimental/schemas/source.yml delete mode 100644 experimental/schemas/tls.yml delete mode 100644 experimental/schemas/url.yml delete mode 100644 experimental/schemas/user.yml delete mode 100644 experimental/schemas/user_agent.yml delete mode 100644 experimental/schemas/x509.yml diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index affd9c8250..1dfdf696c4 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go 
@@ -132,7 +132,9 @@ type Event struct { // Raw text message of entire event. Used to demonstrate log integrity. // This field is not indexed and doc_values are disabled. It cannot be - // searched, but it can be retrieved from `_source`. + // searched, but it can be retrieved from `_source`. If users wish to + // override this and index this field, consider using the wildcard data + // type. Original string `ecs:"original"` // Hash (perhaps logstash fingerprint) of raw field to be able to diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 7bfc74e85a..90fec37b2b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -115,11 +115,13 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha [[field-agent-build-original]] <> -| Extended build information for the agent. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: keyword +type: wildcard @@ -255,9 +257,11 @@ example: `15169` [[field-as-organization-name]] <> -| Organization name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Organization name. + +type: wildcard Multi-fields: @@ -341,9 +345,11 @@ example: `184` [[field-client-domain]] <> -| Client domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Client domain. + +type: wildcard 
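Review bot: The added sentence in the `Original` field comment says users may "override this and index this field" without saying what is being overridden; the only concrete settings named nearby are "not indexed" and "doc_values are disabled", so the reader has to infer that the mapping's index and doc_values parameters are meant. A more direct wording for the new text would be `If a deployment needs to search it, indexing can be enabled in the mapping;` followed by `the wildcard data type is the suggested type for that.`, replacing the "override this and index this field" clause. This file appears to be generated from the schema (the diffstat lists schemas/event.yml with a same-sized change, and the generated yml hunks later in this patch repeat the exact sentence), so the rewording presumably belongs in the schema description rather than in this Go file. The `Event` struct starts before this hunk and continues after it.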
@@ -457,13 +463,15 @@ type: long [[field-client-registered-domain]] <> -| The highest registered client domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -1015,9 +1023,11 @@ example: `184` [[field-destination-domain]] <> -| Destination domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Destination domain. + +type: wildcard @@ -1131,13 +1141,15 @@ type: long [[field-destination-registered-domain]] <> -| The highest registered destination domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -1378,11 +1390,13 @@ example: `IN` [[field-dns-answers-data]] <> -| The data describing the resource. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: keyword +type: wildcard 
@@ -1515,11 +1529,13 @@ example: `IN` [[field-dns-question-name]] <> -| The name being queried. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: keyword +type: wildcard @@ -1762,9 +1778,11 @@ type: text [[field-error-stack-trace]] <> -| The stack trace of this error in plain text. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The stack trace of this error in plain text. + +type: wildcard Multi-fields: @@ -1784,9 +1802,11 @@ Multi-fields: [[field-error-type]] <> -| The type of the error, for example the class name of the exception. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The type of the error, for example the class name of the exception. + +type: wildcard @@ -2059,7 +2079,7 @@ example: `apache` | Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword 
@@ -2423,9 +2443,11 @@ example: `sda` [[field-file-directory]] <> -| Directory where the file is located. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Directory where the file is located. It should include the drive letter, when appropriate. + +type: wildcard @@ -2603,9 +2625,11 @@ example: `alice` [[field-file-path]] <> -| Full path to the file, including the file name. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Full path to the file, including the file name. It should include the drive letter, when appropriate. + +type: wildcard Multi-fields: @@ -2643,9 +2667,11 @@ example: `16384` [[field-file-target-path]] <> -| Target path for symlinks. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Target path for symlinks. + +type: wildcard Multi-fields: @@ -2838,13 +2864,15 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }` [[field-geo-name]] <> -| User-defined description of a location, at the level of granularity they care about. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: keyword +type: wildcard @@ -3120,11 +3148,13 @@ example: `CONTOSO` [[field-host-hostname]] <> -| Hostname of the host. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: keyword +type: wildcard 
@@ -3317,9 +3347,11 @@ example: `887` [[field-http-request-body-content]] <> -| The full HTTP request body. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The full HTTP request body. + +type: wildcard Multi-fields: @@ -3395,9 +3427,11 @@ example: `image/gif` [[field-http-request-referrer]] <> -| Referrer for this HTTP request. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Referrer for this HTTP request. + +type: wildcard @@ -3427,9 +3461,11 @@ example: `887` [[field-http-response-body-content]] <> -| The full HTTP response body. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The full HTTP response body. + +type: wildcard Multi-fields: @@ -3609,11 +3645,13 @@ The details specific to your event source are typically not logged under `log.*` [[field-log-file-path]] <> -| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: keyword +type: wildcard @@ -3647,9 +3685,11 @@ example: `error` [[field-log-logger]] <> -| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: wildcard 
@@ -4443,9 +4483,11 @@ type: keyword [[field-organization-name]] <> -| Organization name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Organization name. + +type: wildcard Multi-fields: @@ -4497,9 +4539,11 @@ example: `debian` [[field-os-full]] <> -| Operating system name, including the version or code name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Operating system name, including the version or code name. + +type: wildcard Multi-fields: @@ -4535,9 +4579,11 @@ example: `4.4.0-112-generic` [[field-os-name]] <> -| Operating system name, without the version. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Operating system name, without the version. + +type: wildcard Multi-fields: @@ -4947,9 +4993,11 @@ example: `0c6803c4e922103c4dca5963aad36ddf` [[field-pe-original-file-name]] <> -| Internal name of the file, provided at compile-time. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Internal name of the file, provided at compile-time. + +type: wildcard @@ -5046,11 +5094,13 @@ example: `4` [[field-process-command-line]] <> -| Full command line that started the process, including the absolute path to the executable, and all arguments. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard Multi-fields: 
@@ -5090,9 +5140,11 @@ example: `c2c455d9f99375d` [[field-process-executable]] <> -| Absolute path to the process executable. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Absolute path to the process executable. + +type: wildcard Multi-fields: @@ -5130,11 +5182,13 @@ example: `137` [[field-process-name]] <> -| Process name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Process name. Sometimes called program name or similar. -type: keyword +type: wildcard Multi-fields: @@ -5234,9 +5288,11 @@ example: `4242` [[field-process-thread-name]] <> -| Thread name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Thread name. + +type: wildcard @@ -5250,11 +5306,13 @@ example: `thread-0` [[field-process-title]] <> -| Process title. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: keyword +type: wildcard Multi-fields: @@ -5290,9 +5348,11 @@ example: `1325` [[field-process-working-directory]] <> -| The working directory of the process. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The working directory of the process. + +type: wildcard Multi-fields: 
@@ -5393,11 +5453,13 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` [[field-registry-data-strings]] <> -| Content when writing string types. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard Note: this field should contain an array of values. @@ -5446,9 +5508,11 @@ example: `HKLM` [[field-registry-key]] <> -| Hive-relative path of keys. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Hive-relative path of keys. + +type: wildcard @@ -5462,9 +5526,11 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti [[field-registry-path]] <> -| Full path, including hive, key and value +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Full path, including hive, key and value + +type: wildcard @@ -5827,9 +5893,11 @@ example: `184` [[field-server-domain]] <> -| Server domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Server domain. + +type: wildcard 
@@ -5943,13 +6011,15 @@ type: long [[field-server-registered-domain]] <> -| The highest registered server domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -6238,9 +6308,11 @@ example: `184` [[field-source-domain]] <> -| Source domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Source domain. + +type: wildcard @@ -6354,13 +6426,15 @@ type: long [[field-source-registered-domain]] <> -| The highest registered source domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -6779,9 +6853,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-client-issuer]] <> -| Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: wildcard 
@@ -6859,9 +6935,11 @@ example: `www.elastic.co` [[field-tls-client-subject]] <> -| Distinguished name of subject of the x.509 certificate presented by the client. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name of subject of the x.509 certificate presented by the client. + +type: wildcard @@ -7041,9 +7119,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-server-issuer]] <> -| Subject of the issuer of the x.509 certificate presented by the server. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Subject of the issuer of the x.509 certificate presented by the server. + +type: wildcard @@ -7105,9 +7185,11 @@ example: `1970-01-01T00:00:00.000Z` [[field-tls-server-subject]] <> -| Subject of the x.509 certificate presented by the server. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Subject of the x.509 certificate presented by the server. + +type: wildcard @@ -7272,13 +7354,15 @@ URL fields provide support for complete or partial URLs, and supports the breaki [[field-url-domain]] <> -| Domain of the url, such as "www.elastic.co". +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. -type: keyword +type: wildcard 
@@ -7332,9 +7416,11 @@ type: keyword [[field-url-full]] <> -| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: wildcard Multi-fields: @@ -7354,13 +7440,15 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top` [[field-url-original]] <> -| Unmodified original url as seen in the event source. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard Multi-fields: @@ -7396,9 +7484,11 @@ type: keyword [[field-url-path]] <> -| Path of the request, such as "/search". +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Path of the request, such as "/search". + +type: wildcard 
@@ -7446,13 +7536,15 @@ type: keyword [[field-url-registered-domain]] <> -| The highest registered url domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -7576,9 +7668,11 @@ type: keyword [[field-user-email]] <> -| User email address. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +User email address. + +type: wildcard @@ -7592,9 +7686,11 @@ type: keyword [[field-user-full-name]] <> -| User's full name, if available. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +User's full name, if available. + +type: wildcard Multi-fields: @@ -7648,9 +7744,11 @@ type: keyword [[field-user-name]] <> -| Short name or login of the user. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Short name or login of the user. + +type: wildcard Multi-fields: @@ -7793,9 +7891,11 @@ example: `Safari` [[field-user-agent-original]] <> -| Unparsed user_agent string. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Unparsed user_agent string. + +type: wildcard Multi-fields: 
@@ -8240,9 +8340,11 @@ example: `US` [[field-x509-issuer-distinguished-name]] <> -| Distinguished name (DN) of issuing certificate authority. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name (DN) of issuing certificate authority. + +type: wildcard @@ -8498,9 +8600,11 @@ example: `US` [[field-x509-subject-distinguished-name]] <> -| Distinguished name (DN) of the certificate subject entity. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name (DN) of the certificate subject entity. + +type: wildcard diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 16c38aefca..d68991b2f4 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1334,7 +1334,8 @@ description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 255173741f..0c6e8374cf 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -18,6 +18,8 @@ short: Date/time when the event originated. type: date agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. 
@@ -128,6 +130,8 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -155,6 +159,8 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -223,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -328,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -392,6 +402,8 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -402,6 +414,8 @@ client.user.email: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -479,6 +493,8 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -717,6 +733,8 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -744,6 +762,8 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -812,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -916,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -980,6 +1004,8 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email 
@@ -990,6 +1016,8 @@ destination.user.email: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1067,6 +1095,8 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1296,6 +1326,8 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1349,6 +1381,8 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1449,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1615,6 +1651,8 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace 
@@ -1629,6 +1667,8 @@ error.stack_trace: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2051,7 +2091,8 @@ event.original: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2514,6 +2555,8 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -2685,6 +2728,8 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -2765,6 +2810,8 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -2800,6 +2847,8 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -2877,6 +2926,8 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3066,6 +3117,8 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3256,6 +3309,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3297,6 +3352,8 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -3368,6 +3425,8 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -3396,6 +3455,8 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -3491,6 +3552,8 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -3501,6 +3564,8 @@ host.user.email: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -3578,6 +3643,8 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -3618,6 +3685,8 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -3677,6 +3746,8 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -3698,6 +3769,8 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -3777,6 +3850,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -3807,6 +3882,8 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -4337,6 +4414,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -4523,6 +4602,8 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4551,6 +4632,8 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -4676,6 +4759,8 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -4936,6 +5021,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -4973,6 +5060,8 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5045,6 +5134,8 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. 
@@ -5161,6 +5252,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5200,6 +5293,8 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5274,6 +5369,8 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -5356,6 +5453,8 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5437,6 +5536,8 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -5448,6 +5549,8 @@ process.parent.thread.name: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. 
@@ -5477,6 +5580,8 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -5557,6 +5662,8 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5633,6 +5740,8 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -5643,6 +5752,8 @@ process.thread.name: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. @@ -5670,6 +5781,8 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -5700,6 +5813,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -5739,6 +5854,8 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5749,6 +5866,8 @@ registry.key: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -5966,6 +6085,8 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -5993,6 +6114,8 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -6061,6 +6184,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -6166,6 +6291,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6230,6 +6357,8 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -6240,6 +6369,8 @@ server.user.email: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6317,6 +6448,8 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -6485,6 +6618,8 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -6512,6 +6647,8 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain 
@@ -6580,6 +6717,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6685,6 +6824,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6749,6 +6890,8 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -6759,6 +6902,8 @@ source.user.email: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6836,6 +6981,8 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -7114,6 +7261,8 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
@@ -7172,6 +7321,8 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -7237,6 +7388,8 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7426,6 +7579,8 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7616,6 +7771,8 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -7659,6 +7816,8 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7710,6 +7869,8 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7899,6 +8060,8 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8023,6 +8186,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -8071,6 +8236,8 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -8087,6 +8254,8 @@ url.full: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8117,6 +8286,8 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -8153,6 +8324,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8240,6 +8413,8 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -8250,6 +8425,8 @@ user.changes.email: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8327,6 +8504,8 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -8381,6 +8560,8 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email @@ -8391,6 +8572,8 @@ user.effective.email: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -8468,6 +8651,8 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -8497,6 +8682,8 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -8506,6 +8693,8 @@ user.email: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8580,6 +8769,8 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -8620,6 +8811,8 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email @@ -8630,6 +8823,8 @@ user.target.email: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -8707,6 +8902,8 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -8758,6 +8955,8 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -8786,6 +8985,8 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -8814,6 +9015,8 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5072c1b3de..50c4915485 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -118,6 +120,8 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC @@ -273,6 +277,8 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -300,6 +306,8 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain 
@@ -368,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -473,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -537,6 +549,8 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -547,6 +561,8 @@ client: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -624,6 +640,8 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -1004,6 +1022,8 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC 
@@ -1031,6 +1051,8 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -1099,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1203,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1267,6 +1293,8 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1277,6 +1305,8 @@ destination: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1354,6 +1384,8 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert 
@@ -1617,6 +1649,8 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1698,6 +1732,8 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1800,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1987,6 +2025,8 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace @@ -2001,6 +2041,8 @@ error: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException 
@@ -2449,7 +2491,8 @@ event: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2937,6 +2980,8 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -3108,6 +3153,8 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -3188,6 +3235,8 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -3223,6 +3272,8 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path 
@@ -3300,6 +3351,8 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3489,6 +3542,8 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3648,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3918,6 +3975,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3959,6 +4018,8 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4031,6 +4092,8 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4059,6 +4122,8 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -4156,6 +4221,8 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -4166,6 +4233,8 @@ host: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -4243,6 +4312,8 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -4307,6 +4378,8 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -4368,6 +4441,8 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -4389,6 +4464,8 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4526,6 +4603,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4556,6 +4635,8 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -5117,6 +5198,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -5304,6 +5387,8 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5332,6 +5417,8 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -5497,6 +5584,8 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5531,6 +5620,8 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5557,6 +5648,8 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X @@ -5856,6 +5949,8 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -5999,6 +6094,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6036,6 +6133,8 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6108,6 +6207,8 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. @@ -6224,6 +6325,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6263,6 +6366,8 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6337,6 +6442,8 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. 
@@ -6419,6 +6526,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6500,6 +6609,8 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -6511,6 +6622,8 @@ process: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -6540,6 +6653,8 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -6620,6 +6735,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6696,6 +6813,8 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 
@@ -6706,6 +6825,8 @@ process: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. @@ -6733,6 +6854,8 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -6796,6 +6919,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -6835,6 +6960,8 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -6845,6 +6972,8 @@ registry: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -7119,6 +7248,8 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC 
@@ -7146,6 +7277,8 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -7214,6 +7347,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7319,6 +7454,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -7383,6 +7520,8 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -7393,6 +7532,8 @@ server: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7470,6 +7611,8 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert 
@@ -7682,6 +7825,8 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -7709,6 +7854,8 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -7777,6 +7924,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7882,6 +8031,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -7946,6 +8097,8 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -7956,6 +8109,8 @@ source: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8033,6 +8188,8 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -8325,6 +8482,8 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -8385,6 +8544,8 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -8451,6 +8612,8 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -8640,6 +8803,8 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -8830,6 +8995,8 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. @@ -8876,6 +9043,8 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -8927,6 +9096,8 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9116,6 +9287,8 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9291,6 +9464,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -9340,6 +9515,8 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -9357,6 +9534,8 @@ url: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9387,6 +9566,8 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -9423,6 +9604,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -9523,6 +9706,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -9533,6 +9718,8 @@ user: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein 
@@ -9610,6 +9797,8 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -9664,6 +9853,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email @@ -9674,6 +9865,8 @@ user: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -9751,6 +9944,8 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -9780,6 +9975,8 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -9789,6 +9986,8 @@ user: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -9863,6 +10062,8 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -9903,6 +10104,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email @@ -9913,6 +10116,8 @@ user: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -9990,6 +10195,8 @@ user: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -10103,6 +10310,8 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -10131,6 +10340,8 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -10159,6 +10370,8 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X
@@ -10539,6 +10752,8 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -10713,6 +10928,8 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml
deleted file mode 100644
index d09e77111d..0000000000
--- a/experimental/schemas/agent.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: agent
- fields:
- - name: build.original
- type: wildcard
diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml
deleted file mode 100644
index 96cf45621c..0000000000
--- a/experimental/schemas/as.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: as
- fields:
- - name: organization.name
- type: wildcard
diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml
deleted file mode 100644
index 14ed3a9a37..0000000000
--- a/experimental/schemas/client.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
- - name: client
- fields:
- - name: domain
- type: wildcard
- - name: registered_domain
- type: wildcard
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml
deleted file mode 100644
index d64a84c6be..0000000000
--- a/experimental/schemas/destination.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
- - name: destination
- fields:
- - name: domain
- type: wildcard
- - name: registered_domain
- type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
deleted file mode 100644
index 466859c09f..0000000000
--- a/experimental/schemas/dns.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: dns
- fields:
- - name: question.name
- type: wildcard
- - name: answers
- type: object
- - name: answers.data
- type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml
deleted file mode 100644
index f2004d3fe0..0000000000
--- a/experimental/schemas/error.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: error
- fields:
- - name: stack_trace
- index: true
- type: wildcard
-
- - name: type
- type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
deleted file mode 100644
index f4938d38be..0000000000
--- a/experimental/schemas/file.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: file
- fields:
- - name: directory
- type: wildcard
- - name: path
- type: wildcard
- - name: target_path
- type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
deleted file mode 100644
index d3445a5a2b..0000000000
--- a/experimental/schemas/geo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
- - name: geo
- fields:
- - name: name
- type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index 91f3d1bbc2..eabc2f9af8 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -1,4 +1,62 @@ - name: host fields: - - name: hostname - type: wildcard + # RFC 0005 + - name: cpu.usage + type: scaled_float + scaling_factor: 1000 + level: extended + short: Percent CPU used, between 0 and 1. + description: > + Percent CPU used which is normalized by the number of CPU cores and it + ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1. + + - name: network.ingress.bytes + type: long + level: extended + short: The number of bytes received on all network interfaces. + description: > + The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + + - name: network.ingress.packets + type: long + level: extended + short: The number of packets received on all network interfaces. + description: > + The number of packets (gauge) received on all network interfaces by the + host since the last metric collection. + + - name: network.egress.bytes + type: long + level: extended + short: The number of bytes sent on all network interfaces. + description: > + The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + + - name: network.egress.packets + type: long + level: extended + short: The number of packets sent on all network interfaces. + description: > + The number of packets (gauge) sent out on all network interfaces by the + host since the last metric collection. + + - name: disk.read.bytes + type: long + level: extended + short: The number of bytes read by all disks. + description: > + The total number of bytes (gauge) read successfully (aggregated from all + disks) since the last metric collection. + + - name: disk.write.bytes + type: long + level: extended + short: The number of bytes written on all disks. + description: > + The total number of bytes (gauge) written successfully (aggregated from + all disks) since the last metric collection. 
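Review bot: `host.cpu.usage` is labelled "Percent CPU used" in both its `short` and `description`, yet the stated range is 0 to 1, which is a fraction rather than a percent, so a reader of the short text will likely expect 0–100. Suggest `short: Fraction of CPU used, between 0 and 1.` and rewording the description's first sentence to `Fraction of CPU used, normalized by the number of CPU cores, ranging from 0 to 1. Scaling factor: 1000.`. The six `network.*` and `disk.*` fields describe their values as "(gauge) ... since the last metric collection", which reads like a per-collection delta rather than an instantaneous gauge; this is worth confirming against the RFC 0005 text named in the hunk comment and stating unambiguously, since any rate or sum computed over these fields depends on it. None of the new fields carries an `example:` entry, unlike the other field definitions shown on this page.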
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml deleted file mode 100644 index 1722cdc5e7..0000000000 --- a/experimental/schemas/http.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: http - fields: - - name: request.body.content - type: wildcard - - name: request.referrer - type: wildcard - - name: response.body.content - type: wildcard diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml deleted file mode 100644 index 8a2f2dd397..0000000000 --- a/experimental/schemas/log.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: log - fields: - - name: file.path - type: wildcard - - name: logger - type: wildcard diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml deleted file mode 100644 index 594581413b..0000000000 --- a/experimental/schemas/organization.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: organization - fields: - - name: name - type: wildcard diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml deleted file mode 100644 index ec9d71a79c..0000000000 --- a/experimental/schemas/os.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: os - fields: - - name: name - type: wildcard - - name: full - type: wildcard diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml deleted file mode 100644 index 77a0574348..0000000000 --- a/experimental/schemas/pe.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: pe - fields: - - name: original_file_name - type: wildcard diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml deleted file mode 100644 index e759e97e86..0000000000 --- a/experimental/schemas/process.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: process - fields: - - name: command_line - type: wildcard - - name: executable - type: wildcard - - name: name - type: wildcard - - name: thread.name - type: wildcard - - name: title - type: wildcard - - name: working_directory - type: wildcard 
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml deleted file mode 100644 index 66f6f6b22c..0000000000 --- a/experimental/schemas/registry.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: registry - fields: - - name: key - type: wildcard - - name: path - type: wildcard - - name: data.strings - type: wildcard diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml deleted file mode 100644 index 70c285f374..0000000000 --- a/experimental/schemas/server.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - - name: server - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml deleted file mode 100644 index d810a6cb79..0000000000 --- a/experimental/schemas/source.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: source - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml deleted file mode 100644 index 4f5378a313..0000000000 --- a/experimental/schemas/tls.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: tls - fields: - - name: client.issuer - type: wildcard - - name: client.subject - type: wildcard - - name: server.issuer - type: wildcard - - name: server.subject - type: wildcard diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml deleted file mode 100644 index 0d5f66c36a..0000000000 --- a/experimental/schemas/url.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: url - fields: - - name: original - type: wildcard - - name: full - type: wildcard - - name: path - type: wildcard - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml deleted file mode 100644 index 89e182fbee..0000000000 --- a/experimental/schemas/user.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -- name: user - fields: - - name: name - type: wildcard - - name: full_name - type: wildcard - - name: email - type: wildcard diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml deleted file mode 100644 index c413a9d702..0000000000 --- a/experimental/schemas/user_agent.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: user_agent - fields: - - name: original - type: wildcard diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml deleted file mode 100644 index d1c7d8af6b..0000000000 --- a/experimental/schemas/x509.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: x509 - fields: - - name: issuer.distinguished_name - type: wildcard - - name: subject.distinguished_name - type: wildcard diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1caa603979..d7bb24c1bd 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -66,8 +66,7 @@ fields: - name: build.original level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Extended build information for the agent. This field is intended to contain any build information that a data source @@ -136,8 +135,7 @@ example: 15169 - name: organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -183,8 +181,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -200,8 +197,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Client domain. - name: geo.city_name level: core @@ -234,8 +230,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -292,8 +287,7 @@ description: Port of the client. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -337,13 +331,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -384,8 +376,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -605,8 +596,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -622,8 +612,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Destination domain. - name: geo.city_name level: core @@ -656,8 +645,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -713,8 +701,7 @@ description: Port of the destination. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -758,13 +745,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -805,8 +790,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -961,8 +945,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1005,8 +988,7 @@ example: IN - name: answers.data level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' @@ -1065,8 +1047,7 @@ example: IN - name: question.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), @@ -1185,19 +1166,16 @@ description: Error message. - name: stack_trace level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - index: false - name: type level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event 
@@ -1356,7 +1334,8 @@ description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false @@ -1585,8 +1564,7 @@ example: sda - name: directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice @@ -1680,8 +1658,7 @@ example: alice - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -1731,8 +1708,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1752,8 +1728,7 @@ example: 16384 - name: target_path level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -1797,8 +1772,7 @@ default_field: false - name: x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -1904,8 +1878,7 @@ default_field: false - name: x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false 
@@ -1984,8 +1957,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2118,8 +2090,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2142,8 +2113,7 @@ example: Quebec - name: hostname level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' @@ -2182,8 +2152,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2199,8 +2168,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2258,13 +2226,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2305,8 +2271,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2336,8 +2301,7 @@ example: 887 - name: request.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -2379,8 +2343,7 @@ default_field: false - name: request.referrer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -2391,8 +2354,7 @@ example: 887 - name: response.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2478,8 +2440,7 @@ fields: - name: file.path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -2500,8 +2461,7 @@ example: error - name: logger level: core - type: keyword - ignore_above: 1024 + type: wildcard description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap @@ -2847,8 +2807,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2956,8 +2915,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2973,8 +2931,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3057,8 +3014,7 @@ description: Unique identifier for the organization. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3079,8 +3035,7 @@ example: debian - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -3096,8 +3051,7 @@ example: 4.4.0-112-generic - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3277,8 +3231,7 @@ default_field: false - name: original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3362,8 +3315,7 @@ default_field: false - name: command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3391,8 +3343,7 @@ default_field: false - name: executable level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3431,8 +3382,7 @@ description: SHA512 hash. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3506,8 +3456,7 @@ default_field: false - name: parent.command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3535,8 +3484,7 @@ default_field: false - name: parent.executable level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3579,8 +3527,7 @@ default_field: false - name: parent.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3631,8 +3578,7 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false 
@@ -3678,15 +3624,13 @@ default_field: false - name: parent.thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3704,8 +3648,7 @@ default_field: false - name: parent.working_directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3754,8 +3697,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3796,14 +3738,12 @@ example: 4242 - name: thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 - name: title level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3820,8 +3760,7 @@ example: 1325 - name: working_directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3848,8 +3787,7 @@ default_field: false - name: data.strings level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single 
@@ -3875,15 +3813,13 @@ default_field: false - name: key level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -4068,8 +4004,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4085,8 +4020,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Server domain. - name: geo.city_name level: core @@ -4119,8 +4053,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -4177,8 +4110,7 @@ description: Port of the server. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4222,13 +4154,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4269,8 +4199,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -4404,8 +4333,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4421,8 +4349,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Source domain. - name: geo.city_name level: core @@ -4455,8 +4382,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -4513,8 +4439,7 @@ description: Port of the source. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4558,13 +4483,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4605,8 +4528,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4780,8 +4702,7 @@ default_field: false - name: client.issuer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -4819,8 +4740,7 @@ default_field: false - name: client.subject level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -4858,8 +4778,7 @@ default_field: false - name: client.x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -4965,8 +4884,7 @@ default_field: false - name: client.x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5079,8 +4997,7 @@ default_field: false - name: server.issuer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -5109,8 +5026,7 @@ default_field: false - name: server.subject level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false @@ -5139,8 +5055,7 @@ default_field: false - name: server.x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -5246,8 +5161,7 @@ default_field: false - name: server.x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5336,8 +5250,7 @@ fields: - name: domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -5371,8 +5284,7 @@ The `#` is not part of the fragment.' - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5384,8 +5296,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5405,8 +5316,7 @@ description: Password of the request. - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". - name: port level: extended @@ -5427,8 +5337,7 @@ the two cases.' - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -5496,14 +5405,12 @@ default_field: false - name: changes.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: changes.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5549,8 +5456,7 @@ default_field: false - name: changes.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -5582,14 +5488,12 @@ default_field: false - name: effective.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: effective.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5635,8 +5539,7 @@ default_field: false - name: effective.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5653,13 +5556,11 @@ default_field: false - name: email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5700,8 +5601,7 @@ description: Unique identifier of the user. - name: name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5726,14 +5626,12 @@ default_field: false - name: target.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: target.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5779,8 +5677,7 @@ default_field: false - name: target.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5817,8 +5714,7 @@ example: Safari - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5834,8 +5730,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5851,8 +5746,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -6099,8 +5993,7 @@ default_field: false - name: issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -6206,8 +6099,7 @@ default_field: false - name: subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 90d2496342..0c6e8374cf 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -18,6 +18,8 @@ short: Date/time when the event originated. type: date agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -26,12 +28,11 @@ agent.build.original: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original - ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: keyword + type: wildcard agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). 
@@ -129,11 +130,12 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -144,7 +146,7 @@ client.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -157,15 +159,16 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: keyword + type: wildcard client.geo.city_name: dashed_name: client-geo-city-name description: City name. @@ -226,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -236,13 +241,12 @@ client.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. 
@@ -332,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -342,12 +348,11 @@ client.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: keyword + type: wildcard client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes all @@ -397,22 +402,24 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -423,7 +430,7 @@ client.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -486,11 +493,12 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -501,7 +509,7 @@ client.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. @@ -725,11 +733,12 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -740,7 +749,7 @@ destination.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -753,15 +762,16 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: keyword + type: wildcard destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. 
@@ -822,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -832,13 +844,12 @@ destination.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -927,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -937,12 +950,11 @@ destination.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: keyword + type: wildcard destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -992,22 +1004,24 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1018,7 +1032,7 @@ destination.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. @@ -1081,11 +1095,12 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1096,7 +1111,7 @@ destination.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -1311,17 +1326,18 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -1365,18 +1381,19 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data - ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: keyword + type: wildcard dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1466,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1475,12 +1494,11 @@ dns.question.name: converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name - ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: keyword + type: wildcard dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -1633,12 +1651,11 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - ignore_above: 1024 - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -1648,18 +1665,19 @@ error.stack_trace: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: keyword + type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type - ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: keyword + type: wildcard event.action: dashed_name: event-action description: 'The action captured by the event. 
@@ -2073,7 +2091,8 @@ event.original: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2536,17 +2555,18 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory - ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: keyword + type: wildcard file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant @@ -2708,12 +2728,13 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text @@ -2723,7 +2744,7 @@ file.path: name: path normalize: [] short: Full path to the file, including the file name. - type: keyword + type: wildcard file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. 
@@ -2789,17 +2810,18 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -2825,10 +2847,11 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -2838,7 +2861,7 @@ file.target_path: name: target_path normalize: [] short: Target path for symlinks. - type: keyword + type: wildcard file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -2903,18 +2926,19 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3093,17 +3117,18 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3284,6 +3309,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3294,13 +3321,12 @@ host.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3326,17 +3352,18 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname - ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: keyword + type: wildcard host.id: dashed_name: host-id description: 'Unique host id. @@ -3398,11 +3425,12 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -3413,7 +3441,7 @@ host.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. 
@@ -3427,11 +3455,12 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -3442,7 +3471,7 @@ host.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -3523,22 +3552,24 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -3549,7 +3580,7 @@ host.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -3612,11 +3643,12 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -3627,7 +3659,7 @@ host.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. @@ -3653,11 +3685,12 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -3667,7 +3700,7 @@ http.request.body.content: name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). 
@@ -3713,16 +3746,17 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -3735,11 +3769,12 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text @@ -3749,7 +3784,7 @@ http.response.body.content: name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -3815,6 +3850,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -3822,12 +3859,11 @@ log.file.path: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path - ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: keyword + type: wildcard log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -3846,17 +3882,18 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger - ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: keyword + type: wildcard log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated @@ -4377,6 +4414,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4387,13 +4426,12 @@ observer.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. 
@@ -4564,11 +4602,12 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -4579,7 +4618,7 @@ observer.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -4593,11 +4632,12 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text @@ -4608,7 +4648,7 @@ observer.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -4719,10 +4759,11 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text 
@@ -4732,7 +4773,7 @@ organization.name: name: name normalize: [] short: Organization name. - type: keyword + type: wildcard package.architecture: dashed_name: package-architecture description: Package architecture. @@ -4980,6 +5021,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -4987,7 +5030,6 @@ process.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -4997,7 +5039,7 @@ process.command_line: name: command_line normalize: [] short: Full command line that started the process. - type: keyword + type: wildcard process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -5018,11 +5060,12 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -5032,7 +5075,7 @@ process.executable: name: executable normalize: [] short: Absolute path to the process executable. - type: keyword + type: wildcard process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. 
@@ -5091,13 +5134,14 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -5107,7 +5151,7 @@ process.name: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the @@ -5208,6 +5252,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5215,7 +5261,6 @@ process.parent.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text @@ -5226,7 +5271,7 @@ process.parent.command_line: normalize: [] original_fieldset: process short: Full command line that started the process. - type: keyword + type: wildcard process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. 
@@ -5248,11 +5293,12 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -5263,7 +5309,7 @@ process.parent.executable: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: keyword + type: wildcard process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -5323,13 +5369,14 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -5340,7 +5387,7 @@ process.parent.name: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -5406,17 +5453,18 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -5488,25 +5536,27 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -5517,7 +5567,7 @@ process.parent.title: normalize: [] original_fieldset: process short: Process title. - type: keyword + type: wildcard process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -5530,11 +5580,12 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -5545,7 +5596,7 @@ process.parent.working_directory: normalize: [] original_fieldset: process short: The working directory of the process. - type: keyword + type: wildcard process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -5611,17 +5662,18 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5688,24 +5740,26 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -5715,7 +5769,7 @@ process.title: name: title normalize: [] short: Process title. - type: keyword + type: wildcard process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -5727,11 +5781,12 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -5741,7 +5796,7 @@ process.working_directory: name: working_directory normalize: [] short: The working directory of the process. - type: keyword + type: wildcard registry.data.bytes: dashed_name: registry-data-bytes description: 'Original bytes written with base64 encoding. 
@@ -5758,6 +5813,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -5768,13 +5825,12 @@ registry.data.strings: the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings - ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: keyword + type: wildcard registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -5798,28 +5854,30 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key - ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: keyword + type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path - ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: keyword + type: wildcard registry.value: dashed_name: registry-value description: Name of the value written. 
@@ -6027,11 +6085,12 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text @@ -6042,7 +6101,7 @@ server.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -6055,15 +6114,16 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: keyword + type: wildcard server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -6124,6 +6184,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6134,13 +6196,12 @@ server.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. 
@@ -6230,6 +6291,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6240,12 +6303,11 @@ server.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: keyword + type: wildcard server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes all @@ -6295,22 +6357,24 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -6321,7 +6385,7 @@ server.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -6384,11 +6448,12 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text @@ -6399,7 +6464,7 @@ server.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -6553,11 +6618,12 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -6568,7 +6634,7 @@ source.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -6581,15 +6647,16 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: keyword + type: wildcard source.geo.city_name: dashed_name: source-geo-city-name description: City name. 
@@ -6650,6 +6717,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6660,13 +6729,12 @@ source.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -6756,6 +6824,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6766,12 +6836,11 @@ source.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: keyword + type: wildcard source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -6821,22 +6890,24 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text @@ -6847,7 +6918,7 @@ source.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -6910,11 +6981,12 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -6925,7 +6997,7 @@ source.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -7189,18 +7261,19 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer - ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS @@ -7248,17 +7321,18 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject - ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. 
@@ -7314,18 +7388,19 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) @@ -7504,17 +7579,18 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) 
@@ -7695,16 +7771,17 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer - ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS @@ -7739,16 +7816,17 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject - ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate 
@@ -7791,18 +7869,19 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) @@ -7981,17 +8060,18 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) 
@@ -8106,6 +8186,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8116,12 +8198,11 @@ url.domain: the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain - ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: keyword + type: wildcard url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request url, @@ -8155,12 +8236,13 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text @@ -8170,8 +8252,10 @@ url.full: name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8181,7 +8265,6 @@ url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text 
@@ -8191,7 +8274,7 @@ url.original: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -8203,15 +8286,16 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -8240,6 +8324,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8250,12 +8336,11 @@ url.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: keyword + type: wildcard url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". 
@@ -8328,22 +8413,24 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -8354,7 +8441,7 @@ user.changes.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -8417,11 +8504,12 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text @@ -8432,7 +8520,7 @@ user.changes.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -8472,22 +8560,24 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -8498,7 +8588,7 @@ user.effective.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -8561,11 +8651,12 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text @@ -8576,7 +8667,7 @@ user.effective.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -8591,21 +8682,23 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email - ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: keyword + type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -8615,7 +8708,7 @@ user.full_name: name: full_name normalize: [] short: User's full name, if available. - type: keyword + type: wildcard user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -8676,11 +8769,12 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -8690,7 +8784,7 @@ user.name: name: name normalize: [] short: Short name or login of the user. - type: keyword + type: wildcard user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -8717,22 +8811,24 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -8743,7 +8839,7 @@ user.target.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -8806,11 +8902,12 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -8821,7 +8918,7 @@ user.target.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -8858,12 +8955,13 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -8873,7 +8971,7 @@ user_agent.original: name: original normalize: [] short: Unparsed user_agent string. - type: keyword + type: wildcard user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -8887,11 +8985,12 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -8902,7 +9001,7 @@ user_agent.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -8916,11 +9015,12 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -8931,7 +9031,7 @@ user_agent.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index eaa283a9a0..50c4915485 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -16,12 +18,11 @@ agent: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original - ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: keyword + type: wildcard agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). 
@@ -119,11 +120,12 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC flat_name: as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: as.organization.name.text @@ -133,7 +135,7 @@ as: name: organization.name normalize: [] short: Organization name. - type: keyword + type: wildcard group: 2 name: as prefix: as. @@ -275,11 +277,12 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -290,7 +293,7 @@ client: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -303,15 +306,16 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: keyword + type: wildcard client.geo.city_name: dashed_name: client-geo-city-name description: City name. 
@@ -372,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -382,13 +388,12 @@ client: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -478,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -488,12 +495,11 @@ client: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: keyword + type: wildcard client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes 
@@ -543,22 +549,24 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -569,7 +577,7 @@ client: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. @@ -632,11 +640,12 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -647,7 +656,7 @@ client: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1013,11 +1022,12 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -1028,7 +1038,7 @@ destination: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -1041,15 +1051,16 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: keyword + type: wildcard destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. @@ -1110,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1120,13 +1133,12 @@ destination: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. 
@@ -1215,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1225,12 +1239,11 @@ destination: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: keyword + type: wildcard destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -1280,22 +1293,24 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1306,7 +1321,7 @@ destination: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -1369,11 +1384,12 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1384,7 +1400,7 @@ destination: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -1633,17 +1649,18 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1715,18 +1732,19 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data - ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: keyword + type: wildcard dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1818,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1827,12 +1847,11 @@ dns: feeds should be converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name - ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: keyword + type: wildcard dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -2006,12 +2025,11 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - ignore_above: 1024 - index: false level: extended multi_fields: - flat_name: error.stack_trace.text 
@@ -2021,18 +2039,19 @@ error: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: keyword + type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type - ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: keyword + type: wildcard group: 2 name: error prefix: error. @@ -2472,7 +2491,8 @@ event: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2960,17 +2980,18 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory - ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: keyword + type: wildcard file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant 
@@ -3132,12 +3153,13 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text @@ -3147,7 +3169,7 @@ file: name: path normalize: [] short: Full path to the file, including the file name. - type: keyword + type: wildcard file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. @@ -3213,17 +3235,18 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -3249,10 +3272,11 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -3262,7 +3286,7 @@ file: name: target_path normalize: [] short: Target path for symlinks. - type: keyword + type: wildcard file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -3327,18 +3351,19 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3517,17 +3542,18 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3677,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3687,12 +3715,11 @@ geo: Not typically used in automated geolocation.' example: boston-dc flat_name: geo.name - ignore_above: 1024 level: extended name: name normalize: [] short: User-defined description of a location. - type: keyword + type: wildcard geo.region_iso_code: dashed_name: geo-region-iso-code description: Region ISO code. @@ -3948,6 +3975,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3958,13 +3987,12 @@ host: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3990,17 +4018,18 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname - ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: keyword + type: wildcard host.id: dashed_name: host-id description: 'Unique host id. 
@@ -4063,11 +4092,12 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -4078,7 +4108,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. @@ -4092,11 +4122,12 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -4107,7 +4138,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). 
@@ -4190,22 +4221,24 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -4216,7 +4249,7 @@ host: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. @@ -4279,11 +4312,12 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -4294,7 +4328,7 @@ host: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. 
@@ -4344,11 +4378,12 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -4358,7 +4393,7 @@ http: name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -4406,16 +4441,17 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -4428,11 +4464,12 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text 
@@ -4442,7 +4479,7 @@ http: name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -4566,6 +4603,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4573,12 +4612,11 @@ log: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path - ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: keyword + type: wildcard log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -4597,17 +4635,18 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger - ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: keyword + type: wildcard log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated 
@@ -5159,6 +5198,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -5169,13 +5210,12 @@ observer: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -5347,11 +5387,12 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -5362,7 +5403,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -5376,11 +5417,12 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text 
@@ -5391,7 +5433,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -5542,10 +5584,11 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text @@ -5555,7 +5598,7 @@ organization: name: name normalize: [] short: Organization name. - type: keyword + type: wildcard group: 2 name: organization prefix: organization. @@ -5577,11 +5620,12 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: os.full.text @@ -5591,7 +5635,7 @@ os: name: full normalize: [] short: Operating system name, including the version or code name. - type: keyword + type: wildcard os.kernel: dashed_name: os-kernel description: Operating system kernel version as a raw string. @@ -5604,11 +5648,12 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X flat_name: os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: os.name.text 
@@ -5618,7 +5663,7 @@ os: name: name normalize: [] short: Operating system name, without the version. - type: keyword + type: wildcard os.platform: dashed_name: os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -5904,16 +5949,17 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. @@ -6048,6 +6094,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6055,7 +6103,6 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -6065,7 +6112,7 @@ process: name: command_line normalize: [] short: Full command line that started the process. - type: keyword + type: wildcard process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -6086,11 +6133,12 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -6100,7 +6148,7 @@ process: name: executable normalize: [] short: Absolute path to the process executable. - type: keyword + type: wildcard process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6159,13 +6207,14 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -6175,7 +6224,7 @@ process: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to @@ -6276,6 +6325,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6283,7 +6334,6 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text 
@@ -6294,7 +6344,7 @@ process: normalize: [] original_fieldset: process short: Full command line that started the process. - type: keyword + type: wildcard process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. @@ -6316,11 +6366,12 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -6331,7 +6382,7 @@ process: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: keyword + type: wildcard process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6391,13 +6442,14 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -6408,7 +6460,7 @@ process: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -6474,17 +6526,18 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -6556,25 +6609,27 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -6585,7 +6640,7 @@ process: normalize: [] original_fieldset: process short: Process title. - type: keyword + type: wildcard process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -6598,11 +6653,12 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -6613,7 +6669,7 @@ process: normalize: [] original_fieldset: process short: The working directory of the process. - type: keyword + type: wildcard process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -6679,17 +6735,18 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6756,24 +6813,26 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -6783,7 +6842,7 @@ process: name: title normalize: [] short: Process title. - type: keyword + type: wildcard process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -6795,11 +6854,12 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -6809,7 +6869,7 @@ process: name: working_directory normalize: [] short: The working directory of the process. - type: keyword + type: wildcard group: 2 name: process nestings: @@ -6859,6 +6919,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -6869,13 +6931,12 @@ registry: be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings - ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: keyword + type: wildcard registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -6899,28 +6960,30 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key - ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: keyword + type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path - ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: keyword + type: wildcard registry.value: dashed_name: registry-value description: Name of the value written. @@ -7185,11 +7248,12 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text 
@@ -7200,7 +7264,7 @@ server: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -7213,15 +7277,16 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: keyword + type: wildcard server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -7282,6 +7347,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7292,13 +7359,12 @@ server: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -7388,6 +7454,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. 
@@ -7398,12 +7466,11 @@ server: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: keyword + type: wildcard server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -7453,22 +7520,24 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -7479,7 +7548,7 @@ server: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. @@ -7542,11 +7611,12 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text 
@@ -7557,7 +7627,7 @@ server: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -7755,11 +7825,12 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -7770,7 +7841,7 @@ source: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -7783,15 +7854,16 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: keyword + type: wildcard source.geo.city_name: dashed_name: source-geo-city-name description: City name. @@ -7852,6 +7924,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -7862,13 +7936,12 @@ source: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -7958,6 +8031,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -7968,12 +8043,11 @@ source: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: keyword + type: wildcard source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -8023,22 +8097,24 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text 
@@ -8049,7 +8125,7 @@ source: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -8112,11 +8188,12 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -8127,7 +8204,7 @@ source: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -8405,18 +8482,19 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer - ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS 
@@ -8466,18 +8544,19 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject - ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. @@ -8533,18 +8612,19 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) 
@@ -8723,17 +8803,18 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) @@ -8914,17 +8995,18 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer - ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS 
@@ -8961,16 +9043,17 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject - ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate @@ -9013,18 +9096,19 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) 
@@ -9203,17 +9287,18 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) @@ -9379,6 +9464,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -9390,12 +9477,11 @@ url: field.' example: www.elastic.co flat_name: url.domain - ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: keyword + type: wildcard url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request @@ -9429,13 +9515,14 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text 
@@ -9445,8 +9532,10 @@ url: name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9456,7 +9545,6 @@ url: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text @@ -9466,7 +9554,7 @@ url: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -9478,15 +9566,16 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -9515,6 +9604,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. 
@@ -9525,12 +9616,11 @@ url: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: keyword + type: wildcard url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". @@ -9616,22 +9706,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -9642,7 +9734,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -9705,11 +9797,12 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text 
@@ -9720,7 +9813,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. @@ -9760,22 +9853,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -9786,7 +9881,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -9849,11 +9944,12 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text 
@@ -9864,7 +9960,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. @@ -9879,21 +9975,23 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email - ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: keyword + type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -9903,7 +10001,7 @@ user: name: full_name normalize: [] short: User's full name, if available. - type: keyword + type: wildcard user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -9964,11 +10062,12 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -9978,7 +10077,7 @@ user: name: name normalize: [] short: Short name or login of the user. - type: keyword + type: wildcard user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -10005,22 +10104,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -10031,7 +10132,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -10094,11 +10195,12 @@ user: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -10109,7 +10211,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -10208,12 +10310,13 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -10223,7 +10326,7 @@ user_agent: name: original normalize: [] short: Unparsed user_agent string. - type: keyword + type: wildcard user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -10237,11 +10340,12 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -10252,7 +10356,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -10266,11 +10370,12 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -10281,7 +10386,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -10647,17 +10752,18 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard x509.issuer.locality: dashed_name: x509-issuer-locality description: List of locality names (L) 
@@ -10822,16 +10928,17 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard x509.subject.locality: dashed_name: x509-subject-locality description: List of locality names (L) diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 2de32c5500..cab3c44f2f 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -27,8 +27,7 @@ "build": { "properties": { "original": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -74,8 +73,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -85,8 +83,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -110,8 +107,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -147,8 +143,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -165,8 +160,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -175,8 +169,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { 
@@ -209,8 +202,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -331,8 +323,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -342,8 +333,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -367,8 +357,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -404,8 +393,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -422,8 +410,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -432,8 +419,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -466,8 +452,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -551,8 +536,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -571,8 +555,7 @@ "type": "keyword" }, "data": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "name": { "ignore_above": 1024, @@ -607,8 +590,7 @@ "type": "keyword" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "registered_domain": { "ignore_above": 1024, @@ -664,20 +646,16 @@ "type": "text" }, "stack_trace": { - "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "ignore_above": 1024, - "index": false, - "type": "keyword" + "type": "wildcard" }, "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, 
@@ -819,8 +797,7 @@ "type": "keyword" }, "directory": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "drive_letter": { "ignore_above": 1, @@ -888,8 +865,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -914,8 +890,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -933,8 +908,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -961,8 +935,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -1023,8 +996,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -1100,8 +1072,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -1114,8 +1085,7 @@ } }, "hostname": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "id": { "ignore_above": 1024, @@ -1145,8 +1115,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -1159,8 +1128,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, @@ -1190,8 +1158,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -1200,8 +1167,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -1234,8 +1200,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, 
@@ -1261,8 +1226,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1278,8 +1242,7 @@ "type": "keyword" }, "referrer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1297,8 +1260,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1328,8 +1290,7 @@ "file": { "properties": { "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1338,8 +1299,7 @@ "type": "keyword" }, "logger": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "origin": { "properties": { @@ -1537,8 +1497,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -1615,8 +1574,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -1629,8 +1587,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, @@ -1681,8 +1638,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1777,8 +1733,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -1791,8 +1746,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" @@ -1824,8 +1778,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "parent": { "properties": { @@ -1864,8 +1817,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -1878,8 +1830,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" 
@@ -1911,8 +1862,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -1937,8 +1887,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1964,8 +1913,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1976,8 +1924,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -1989,8 +1936,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2017,8 +1963,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -2044,8 +1989,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2056,8 +2000,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -2069,8 +2012,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2083,8 +2025,7 @@ "type": "keyword" }, "strings": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -2097,12 +2038,10 @@ "type": "keyword" }, "key": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "value": { "ignore_above": 1024, @@ -2193,8 +2132,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -2204,8 +2142,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { 
@@ -2229,8 +2166,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -2266,8 +2202,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -2284,8 +2219,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -2294,8 +2228,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -2328,8 +2261,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -2395,8 +2327,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -2406,8 +2337,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -2431,8 +2361,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -2468,8 +2397,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -2486,8 +2414,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -2496,8 +2423,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -2530,8 +2456,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -2654,8 +2579,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3": { "ignore_above": 1024, 
@@ -2672,8 +2596,7 @@ "type": "keyword" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "supported_ciphers": { "ignore_above": 1024, @@ -2696,8 +2619,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2758,8 +2680,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2828,8 +2749,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3s": { "ignore_above": 1024, @@ -2842,8 +2762,7 @@ "type": "date" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "x509": { "properties": { @@ -2862,8 +2781,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2924,8 +2842,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2982,8 +2899,7 @@ "url": { "properties": { "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "extension": { "ignore_above": 1024, @@ -3000,8 +2916,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "original": { "fields": { @@ -3010,16 +2925,14 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "port": { "type": "long" @@ -3029,8 +2942,7 @@ "type": "keyword" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "scheme": { "ignore_above": 1024, 
@@ -3059,8 +2971,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3069,8 +2980,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3103,8 +3013,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3123,8 +3032,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3133,8 +3041,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3167,8 +3074,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3177,8 +3083,7 @@ } }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3187,8 +3092,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3221,8 +3125,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3235,8 +3138,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3245,8 +3147,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3279,8 +3180,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3311,8 +3211,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "os": { "properties": { @@ -3327,8 +3226,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, 
@@ -3341,8 +3239,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, diff --git a/schemas/agent.yml b/schemas/agent.yml index a7758e90ce..ada014aecb 100644 --- a/schemas/agent.yml +++ b/schemas/agent.yml @@ -24,8 +24,9 @@ - name: build.original level: core - type: keyword + type: wildcard short: Extended build information for the agent. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Extended build information for the agent. diff --git a/schemas/as.yml b/schemas/as.yml index 952d7febeb..0094a46a9a 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -29,7 +29,8 @@ - name: organization.name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Organization name. example: Google LLC diff --git a/schemas/client.yml b/schemas/client.yml index e63ab70276..b61329316e 100644 --- a/schemas/client.yml +++ b/schemas/client.yml @@ -53,14 +53,16 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Client domain. - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered client domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered client domain, stripped of the subdomain. diff --git a/schemas/destination.yml b/schemas/destination.yml index a1e91958f7..ab6979e346 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml 
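Review bot: The new `beta:` line is placed at a different position in each converted field: after `short:` here in agent.yml, directly after `type:` in as.yml and in client.yml's `domain` entry, but after `short:` again in client.yml's `registered_domain`, and the same drift continues in dns.yml, error.yml, file.yml, geo.yml, host.yml, http.yml, log.yml, organization.yml, os.yml, pe.yml, process.yml, registry.yml, server.yml and source.yml. The generated ecs_nested/ecs_flat output sorts keys, so this only affects readers of the source schemas, but since the note annotates the type it would read most naturally as the line immediately after `type: wildcard` everywhere. The note text itself is identical in every file, so a single convention is cheap to enforce. The `build.original` entry continues past this hunk.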
@@ -48,13 +48,15 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Destination domain. - name: registered_domain level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: The highest registered destination domain, stripped of the subdomain. description: > The highest registered destination domain, stripped of the subdomain. diff --git a/schemas/dns.yml b/schemas/dns.yml index afe11a190a..220a723967 100644 --- a/schemas/dns.yml +++ b/schemas/dns.yml @@ -66,8 +66,9 @@ - name: question.name level: extended - type: keyword + type: wildcard short: The name being queried. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name being queried. @@ -185,8 +186,9 @@ - name: answers.data level: extended - type: keyword + type: wildcard short: The data describing the resource. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The data describing the resource. diff --git a/schemas/error.yml b/schemas/error.yml index 7d96f09a4b..b1ae66f588 100644 --- a/schemas/error.yml +++ b/schemas/error.yml @@ -31,15 +31,16 @@ - name: type level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: java.lang.NullPointerException description: > The type of the error, for example the class name of the exception. - name: stack_trace level: extended - type: keyword - index: false + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The stack trace of this error in plain text. multi_fields: 
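Review bot: In the error.yml `stack_trace` entry the type change also drops `index: false`, and the generated template hunk for `error.stack_trace` (the `-664,20 +646,16` hunk of template.json) correspondingly drops `doc_values: false`, `index: false` and `ignore_above: 1024`, so the field goes from unindexed-with-no-doc-values to fully indexed `wildcard` with no length cap. That is a larger behaviour change than the added `beta:` note conveys, since it only says the field "used to be type `keyword`". If this is intended, the note should say so, e.g. `beta: Note the usage of \`wildcard\` type is considered beta. This field used to be type \`keyword\` and was not indexed (\`index: false\`); it is now indexed.`, and the description could mention that long stack traces are now indexed in full, which affects index size. If it is not intended, `index: false` should be restored alongside the new type. The `stack_trace` entry (its `multi_fields:` list) continues past this hunk.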
diff --git a/schemas/event.yml b/schemas/event.yml index 45128fcf4a..0edbf6b8de 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -590,7 +590,9 @@ Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be - searched, but it can be retrieved from `_source`. + searched, but it can be retrieved from `_source`. If users wish to + override this and index this field, consider using the wildcard + data type. index: false doc_values: false diff --git a/schemas/file.yml b/schemas/file.yml index 545b4661fa..419116c8da 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -33,8 +33,9 @@ - name: directory level: extended - type: keyword + type: wildcard short: Directory where the file is located. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Directory where the file is located. It should include the drive letter, when appropriate. @@ -53,8 +54,9 @@ - name: path level: extended - type: keyword + type: wildcard short: Full path to the file, including the file name. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -65,7 +67,8 @@ - name: target_path level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Target path for symlinks. multi_fields: - type: text diff --git a/schemas/geo.yml b/schemas/geo.yml index 347d60829e..a6654d982f 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml 
@@ -71,8 +71,9 @@ - name: name level: extended - type: keyword + type: wildcard short: User-defined description of a location. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > User-defined description of a location, at the level of granularity they care about. diff --git a/schemas/host.yml b/schemas/host.yml index 2fdbd9e4f7..f751d9b3ff 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -14,8 +14,9 @@ - name: hostname level: core - type: keyword + type: wildcard short: Hostname of the host. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Hostname of the host. diff --git a/schemas/http.yml b/schemas/http.yml index 9002408cab..f0ee23c53a 100644 --- a/schemas/http.yml +++ b/schemas/http.yml @@ -42,7 +42,8 @@ - name: request.body.content level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The full HTTP request body. example: Hello world @@ -52,7 +53,8 @@ - name: request.referrer level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Referrer for this HTTP request. example: https://blog.example.com/ @@ -81,7 +83,8 @@ - name: response.body.content level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The full HTTP response body. example: Hello world diff --git a/schemas/log.yml b/schemas/log.yml index fed4c063dd..991b9235a0 100644 --- a/schemas/log.yml +++ b/schemas/log.yml 
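Review bot: For http.yml's `request.body.content` and `response.body.content` the switch to `wildcard` also removes the `ignore_above: 1024` bound that the generated template hunks in this commit drop wherever the type changes, so these externally supplied, unbounded-size values are now indexed in full rather than skipped beyond 1024 bytes. Nothing in the schema or the beta note records that the size cap is gone, and index cost for these two fields now scales with body size. Worth stating in the field description, e.g. `Large bodies are indexed in full; there is no longer an \`ignore_above\` limit on this field.`, or, if the type supports a length limit, keeping an explicit one; I have not verified from this diff whether the cap was dropped deliberately or because the generator no longer emits it for `wildcard`.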
@@ -31,8 +31,9 @@ - name: file.path level: extended - type: keyword + type: wildcard short: Full path to the log file this event came from. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -63,9 +64,10 @@ - name: logger level: core - type: keyword + type: wildcard example: org.elasticsearch.bootstrap.Bootstrap short: Name of the logger. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. diff --git a/schemas/organization.yml b/schemas/organization.yml index dcd2358927..4eee9ce663 100644 --- a/schemas/organization.yml +++ b/schemas/organization.yml @@ -14,7 +14,8 @@ - name: name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Organization name. multi_fields: diff --git a/schemas/os.yml b/schemas/os.yml index 8b8cfcdad7..9a93fd933b 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -36,8 +36,9 @@ - name: name level: extended - type: keyword + type: wildcard example: "Mac OS X" + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, without the version. multi_fields: @@ -46,8 +47,9 @@ - name: full level: extended - type: keyword + type: wildcard example: "Mac OS Mojave" + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, including the version or code name. multi_fields: diff --git a/schemas/pe.yml b/schemas/pe.yml index 126fb16136..8a7e2ddaf8 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml 
@@ -13,7 +13,8 @@ fields: - name: original_file_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE diff --git a/schemas/process.yml b/schemas/process.yml index 13ec63c07f..8c9661cebd 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -44,8 +44,9 @@ - name: name level: extended - type: keyword + type: wildcard short: Process name. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process name. @@ -72,8 +73,9 @@ - name: command_line level: extended - type: keyword + type: wildcard short: Full command line that started the process. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -110,7 +112,8 @@ - name: executable level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Absolute path to the process executable. example: /usr/bin/ssh @@ -120,8 +123,9 @@ - name: title level: extended - type: keyword + type: wildcard short: Process title. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process title. @@ -141,7 +145,8 @@ - name: thread.name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: 'thread-0' description: > Thread name. 
@@ -162,8 +167,9 @@ - name: working_directory level: extended - type: keyword + type: wildcard example: /home/alice + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The working directory of the process. multi_fields:
diff --git a/schemas/registry.yml b/schemas/registry.yml
index bf8670d84e..576727087e 100644
--- a/schemas/registry.yml
+++ b/schemas/registry.yml
@@ -14,7 +14,8 @@ - name: key level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
@@ -26,7 +27,8 @@ - name: path level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
@@ -38,8 +40,9 @@ - name: data.strings level: core - type: keyword + type: wildcard short: List of strings representing what was written to the registry. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: '["C:\rta\red_ttp\bin\myapp.exe"]' description: > Content when writing string types.
diff --git a/schemas/server.yml b/schemas/server.yml
index 867b3bd03c..b8d6924696 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -53,13 +53,15 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Server domain. - name: registered_domain level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: The highest registered server domain, stripped of the subdomain. description: > The highest registered server domain, stripped of the subdomain.
diff --git a/schemas/source.yml b/schemas/source.yml
index 268b975312..581d5c062b 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -48,14 +48,16 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Source domain. - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered source domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered source domain, stripped of the subdomain.
diff --git a/schemas/tls.yml b/schemas/tls.yml
index 3ecacb041a..781aafb66e 100644
--- a/schemas/tls.yml
+++ b/schemas/tls.yml
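Review bot: The new `beta:` key lands in a different position in the two `registered_domain` entries on this line: server.yml puts it before `short`, source.yml after `short`; url.yml (`original` vs `full`) and user.yml (`name` vs `full_name`) show the same drift, and process.yml `thread.name` places `beta` before `example` where log.yml `logger` places it after. The schema generator presumably ignores key order, but a fixed order (`type`, `example`, `short`, `beta`, `description`) would let the many identical additions be reviewed as one pattern; for server.yml that means moving the `beta:` line below `short:`. Both `registered_domain` descriptions likely continue past the hunk.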
@@ -78,14 +78,16 @@ - array - name: client.subject - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the x.509 certificate presented by the client. example: "CN=myclient, OU=Documentation Team, DC=example, DC=com" - name: client.issuer - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
@@ -157,14 +159,16 @@ example: 394441ab65754e2207b1e1b457b3641d - name: server.subject - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the x.509 certificate presented by the server. example: "CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com" - name: server.issuer - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the issuer of the x.509 certificate presented by the server. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
diff --git a/schemas/url.yml b/schemas/url.yml
index 88a0278891..a264e59395 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -10,7 +10,8 @@ - name: original level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: Unmodified original url as seen in the event source. description: > Unmodified original url as seen in the event source.
@@ -28,8 +29,9 @@ - name: full level: extended - type: keyword + type: wildcard short: Full unparsed URL. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the
@@ -51,8 +53,9 @@ - name: domain level: extended - type: keyword + type: wildcard short: Domain of the url. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Domain of the url, such as "www.elastic.co".
@@ -65,8 +68,9 @@ - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered url domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered url domain, stripped of the subdomain.
@@ -116,7 +120,8 @@ - name: path level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Path of the request, such as "/search".
diff --git a/schemas/user.yml b/schemas/user.yml
index 0fe7a32411..6e010627cf 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -48,8 +48,9 @@ - name: name level: core - type: keyword + type: wildcard example: albert + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Short name or login of the user. multi_fields:
@@ -58,7 +59,8 @@ - name: full_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: Albert Einstein description: > User's full name, if available.
@@ -68,7 +70,8 @@ - name: email level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > User email address.
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
index 9c18c20827..84388859cf 100644
--- a/schemas/user_agent.yml
+++ b/schemas/user_agent.yml
@@ -12,7 +12,8 @@ - name: original level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. multi_fields: - type: text name: text
diff --git a/schemas/x509.yml b/schemas/x509.yml
index 124551c96c..a36e8a91a1 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -37,7 +37,8 @@ - name: issuer.distinguished_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
@@ -113,7 +114,8 @@ - name: subject.distinguished_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md
index dff825a597..15e2935a61 100644
--- a/use-cases/auditbeat.md
+++ b/use-cases/auditbeat.md
@@ -9,8 +9,8 @@ ECS usage in Auditbeat. |---|---|---|---|---| | [event.module](../README.md#event.module) | Auditbeat module name. | core | keyword | `apache` | | *file.** | *File attributes.
* | | | | -| [file.path](../README.md#file.path) | The path to the file. | extended | keyword | `/home/alice/example.png` | -| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | keyword | | +| [file.path](../README.md#file.path) | The path to the file. | extended | wildcard | `/home/alice/example.png` | +| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | wildcard | | | [file.type](../README.md#file.type) | The file type (file, dir, or symlink). | extended | keyword | `file` | | [file.device](../README.md#file.device) | The device. | extended | keyword | `sda` | | [file.inode](../README.md#file.inode) | The inode representing the file in the filesystem. | extended | keyword | `256383` |
diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md
index a9ef41840f..293c2fb190 100644
--- a/use-cases/filebeat-apache-access.md
+++ b/use-cases/filebeat-apache-access.md
@@ -13,7 +13,7 @@ ECS fields used in Filebeat for the apache module. | [event.module](../README.md#event.module) | Currently fileset.module | core | keyword | `apache` | | [event.dataset](../README.md#event.dataset) | Currenly fileset.name | core | keyword | `access` | | [source.ip](../README.md#source.ip) | Source ip of the request. Currently apache.access.remote_ip | core | ip | `192.168.1.1` | -| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` | +| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | wildcard | `ruflin` | | *http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` | | *http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` | | [http.version](../README.md#http.version) | Http version, currently apache.access.http_version | extended | keyword | `1.1` |
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module. | *http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` | | *http.referer* | *Http referrer code, currently apache.access.referrer
NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` | | *user_agent.** | *User agent fields as in schema. Currently under apache.access.user_agent.*
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` | +| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | wildcard | `http://elastic.co/` | | *geoip.** | *User agent fields as in schema. Currently under apache.access.geoip.*
These are extracted from source.ip
Should they be under source.geoip?
* | | | | | *geoip....* | *All geoip fields.* | (use case) | keyword | |
diff --git a/use-cases/kubernetes.md b/use-cases/kubernetes.md
index 5588da6060..057ed289cb 100644
--- a/use-cases/kubernetes.md
+++ b/use-cases/kubernetes.md
@@ -10,7 +10,7 @@ You can monitor containers running in a Kubernetes cluster by adding Kubernetes- |---|---|---|---|---| | [container.id](../README.md#container.id) | Unique container id. | core | keyword | `fdbef803fa2b` | | [container.name](../README.md#container.name) | Container name. | extended | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | keyword | `kube-high-cpu-42` | +| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | wildcard | `kube-high-cpu-42` | | *kubernetes.pod.name* | *Kubernetes pod name* | (use case) | keyword | `foo-webserver` | | *kubernetes.namespace* | *Kubernetes namespace* | (use case) | keyword | `foo-team` | | *kubernetes.labels* | *Kubernetes labels map* | (use case) | object | |
diff --git a/use-cases/metricbeat.md b/use-cases/metricbeat.md
index c573a7897e..79b3369efd 100644
--- a/use-cases/metricbeat.md
+++ b/use-cases/metricbeat.md
@@ -21,7 +21,7 @@ ECS fields used Metricbeat. | *error.** | *Error namespace
Use for errors which can happen during fetching information for a service.
* | | | | | [error.message](../README.md#error.message) | Error message returned by the service during fetching metrics. | core | text | | | [error.code](../README.md#error.code) | Error code returned by the service during fetching metrics. | core | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | keyword | | +| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | wildcard | | | *host.timezone.offset.sec* | *Timezone offset of the host in seconds.* | (use case) | long | | | [host.id](../README.md#host.id) | Unique host id. | core | keyword | | | [event.module](../README.md#event.module) | Name of the module this data is coming from. | core | keyword | `mysql` |
diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
index 57f9a96062..d70944b48c 100644
--- a/use-cases/web-logs.md
+++ b/use-cases/web-logs.md
@@ -12,12 +12,12 @@ Using the fields as represented here is not expected to conflict with ECS, but m | [@timestamp](../README.md#@timestamp) | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` | | *http.** | *Fields related to HTTP requests and responses.
* | | | | | [http.request.method](../README.md#http.request.method) | Http request method. | extended | keyword | `GET, POST, PUT` | -| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` | +| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | wildcard | `https://blog.example.com/` | | [http.response.status_code](../README.md#http.response.status_code) | Http response status code. | extended | long | `404` | -| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | keyword | `Hello world` | +| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | wildcard | `Hello world` | | [http.version](../README.md#http.version) | Http version. | extended | keyword | `1.1` | | *user_agent.** | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | +| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | wildcard | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | | *user_agent.device* | *Name of the physical device.* | (use case) | keyword | | | [user_agent.version](../README.md#user_agent.version) | Version of the physical device. | extended | keyword | `12.0` | | *user_agent.major* | *Major version of the user agent.* | (use case) | long | |