diff --git a/docs/reference/ecs-host.md b/docs/reference/ecs-host.md
index 51705caaf..149973c38 100644
--- a/docs/reference/ecs-host.md
+++ b/docs/reference/ecs-host.md
@@ -36,6 +36,14 @@ ECS host.* fields should be populated with details about the host on which the e
 | $$$field-host-type$$$ [host.type](#field-host-type) | Type of host.

For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | core | | $$$field-host-uptime$$$ [host.uptime](#field-host-uptime) | Seconds the host has been up.

type: long

example: `1325`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | extended | +## Field reuse [_field_reuse] + +The `host` fields are expected to be nested at: + +* `host.target` + +Note also that the `host` fields may be used directly at the root of the events. + ### Field sets that can be nested under Host [ecs-host-nestings] @@ -45,3 +53,4 @@ ECS host.* fields should be populated with details about the host on which the e | `host.geo.*` | [geo](/reference/ecs-geo.md) | Fields describing a location. | | `host.os.*` | [os](/reference/ecs-os.md) | OS fields contain information about the operating system. | | `host.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. | +| `host.target.*` | [host](/reference/ecs-host.md) | Targeted host of action taken. | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 07ed3200f..82c78a2f6 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -4793,6 +4793,464 @@ of 0 to 100. example: 83.0 default_field: false + - name: target.architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + default_field: false + - name: target.boot.id + level: extended + type: keyword + ignore_above: 1024 + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + default_field: false + - name: target.cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: target.disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + default_field: false + - name: target.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + default_field: false + - name: target.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: target.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: target.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + default_field: false + - name: target.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: target.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: target.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: target.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: target.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: target.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: target.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: target.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: target.hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' 
+ default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + default_field: false + - name: target.ip + level: core + type: ip + description: Host ip addresses. + default_field: false + - name: target.mac + level: core + type: keyword + ignore_above: 1024 + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + default_field: false + - name: target.network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. 
+ default_field: false + - name: target.network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + default_field: false + - name: target.os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, including the version or code name. + example: Mac OS Mojave + default_field: false + - name: target.os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + default_field: false + - name: target.os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, without the version. + example: Mac OS X + default_field: false + - name: target.os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + default_field: false + - name: target.os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + default_field: false + - name: target.os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. 
+ example: 10.14.1 + default_field: false + - name: target.pid_ns_ino + level: extended + type: keyword + ignore_above: 1024 + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + default_field: false + - name: target.uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + default_field: false - name: type level: core type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 9758f073a..f9f6deafc 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -591,6 +591,65 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.3.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.3.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev+exp,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. +9.3.0-dev+exp,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.3.0-dev+exp,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.3.0-dev+exp,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.3.0-dev+exp,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.3.0-dev+exp,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.3.0-dev+exp,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev+exp,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev+exp,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev+exp,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev+exp,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev+exp,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev+exp,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev+exp,true,host,host.target.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev+exp,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev+exp,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev+exp,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev+exp,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev+exp,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev+exp,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev+exp,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev+exp,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev+exp,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev+exp,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev+exp,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev+exp,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.3.0-dev+exp,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev+exp,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev+exp,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev+exp,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev+exp,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev+exp,true,host,host.target.hostname,keyword,core,,,Hostname of the host. +9.3.0-dev+exp,true,host,host.target.id,keyword,core,,,Unique host id. +9.3.0-dev+exp,true,host,host.target.ip,ip,core,array,,Host ip addresses. +9.3.0-dev+exp,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.3.0-dev+exp,true,host,host.target.name,keyword,core,,,Name of the host. +9.3.0-dev+exp,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.3.0-dev+exp,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.3.0-dev+exp,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.3.0-dev+exp,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.3.0-dev+exp,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.3.0-dev+exp,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev+exp,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev+exp,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+9.3.0-dev+exp,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev+exp,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev+exp,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.3.0-dev+exp,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.3.0-dev+exp,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.3.0-dev+exp,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.3.0-dev+exp,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev+exp,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev+exp,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev+exp,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev+exp,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev+exp,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev+exp,true,host,host.target.type,keyword,core,,,Type of host. +9.3.0-dev+exp,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 
9.3.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 9.3.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.3.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f450e8cd6..d83ef8a63 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8542,6 +8542,827 @@ host.risk.static_score_norm: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float +host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword +host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the + boot_id value from /proc may or may not be the same in containers as on the host. + Some container runtimes will bind mount a new boot_id value onto the proc file + in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword +host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long +host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long +host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS + domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword +host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +host.target.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' + example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword +host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. 
+ type: keyword +host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip +host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword +host.target.name: + dashed_name: host-target-name + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified domain + name (FQDN), or a name specified by the user. The recommended value is the lowercase + FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword +host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long +host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. 
+ flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long +host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long +host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. + flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long +host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. 
+ type: keyword +host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword +host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' + type: keyword +host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. 
+ example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file system + (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword +host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this + could be the container, for example, or other information meaningful in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword +host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 86f3a0451..91211ab60 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10117,6 +10117,836 @@ host: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float + host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword + host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword + host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long + host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long + host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword + host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + host.target.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword + host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword + host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip + host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword + host.target.name: + dashed_name: host-target-name + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword + host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. 
+ type: long + host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long + host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long + host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long + host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword + host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword + host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' 
+ example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' + type: keyword + host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword + host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword + host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host.
@@ -10155,7 +10985,15 @@ host: - host.geo - host.os - host.risk + - host.target prefix: host. + reusable: + expected: + - as: target + at: host + full: host.target + short_override: Targeted host of action taken. + top_level: true reused_here: - full: host.entity schema_name: entity
@@ -10169,6 +11007,9 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. + - full: host.target + schema_name: host + short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group
diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index c8ac1bab6..48a96da9e 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json 
@@ -271,6 +271,280 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4c8a9f732..33e2078d0 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -2709,6 +2709,280 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3366cfd8e..0269f6aca 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -4743,6 +4743,464 @@ of 0 to 100. example: 83.0 default_field: false + - name: target.architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + default_field: false + - name: target.boot.id + level: extended + type: keyword + ignore_above: 1024 + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + default_field: false + - name: target.cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: target.disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + default_field: false + - name: target.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + default_field: false + - name: target.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: target.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: target.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + default_field: false + - name: target.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: target.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: target.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: target.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: target.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: target.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: target.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: target.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: target.hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' 
+ default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + default_field: false + - name: target.ip + level: core + type: ip + description: Host ip addresses. + default_field: false + - name: target.mac + level: core + type: keyword + ignore_above: 1024 + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + default_field: false + - name: target.network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. 
+ default_field: false + - name: target.network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + default_field: false + - name: target.os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, including the version or code name. + example: Mac OS Mojave + default_field: false + - name: target.os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + default_field: false + - name: target.os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, without the version. + example: Mac OS X + default_field: false + - name: target.os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + default_field: false + - name: target.os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + default_field: false + - name: target.os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. 
+ example: 10.14.1 + default_field: false + - name: target.pid_ns_ino + level: extended + type: keyword + ignore_above: 1024 + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + default_field: false + - name: target.uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + default_field: false - name: type level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index f460c9390..fa31da0a3 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -584,6 +584,65 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.3.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.3.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. +9.3.0-dev,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.3.0-dev,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.3.0-dev,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.3.0-dev,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.3.0-dev,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.3.0-dev,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,host,host.target.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.3.0-dev,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,host,host.target.hostname,keyword,core,,,Hostname of the host. +9.3.0-dev,true,host,host.target.id,keyword,core,,,Unique host id. +9.3.0-dev,true,host,host.target.ip,ip,core,array,,Host ip addresses. +9.3.0-dev,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.3.0-dev,true,host,host.target.name,keyword,core,,,Name of the host. +9.3.0-dev,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.3.0-dev,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.3.0-dev,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.3.0-dev,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.3.0-dev,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.3.0-dev,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+9.3.0-dev,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.3.0-dev,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.3.0-dev,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.3.0-dev,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.3.0-dev,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,host,host.target.type,keyword,core,,,Type of host. +9.3.0-dev,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 9.3.0-dev,true,host,host.type,keyword,core,,,Type of host. 
9.3.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.3.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 40f65f7fd..c0a12a94e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8473,6 +8473,827 @@ host.risk.static_score_norm: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float +host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword +host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the + boot_id value from /proc may or may not be the same in containers as on the host. + Some container runtimes will bind mount a new boot_id value onto the proc file + in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword +host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long +host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long +host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS + domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword +host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +host.target.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' + example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword +host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. 
+ type: keyword +host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip +host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword +host.target.name: + dashed_name: host-target-name + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified domain + name (FQDN), or a name specified by the user. The recommended value is the lowercase + FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword +host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long +host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. 
+ flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long +host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long +host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. + flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long +host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. 
+ type: keyword +host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword +host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' + type: keyword +host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. 
+ example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file system + (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword +host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this + could be the container, for example, or other information meaningful in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword +host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 48d310bdd..8fceddbc8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10037,6 +10037,836 @@ host: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float + host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword + host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword + host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long + host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long + host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword + host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + host.target.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword + host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword + host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip + host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword + host.target.name: + dashed_name: host-target-name + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword + host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. 
+ type: long + host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long + host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long + host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long + host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword + host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword + host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' 
+ example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' + type: keyword + host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword + host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword + host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. @@ -10075,7 +10905,15 @@ host: - host.geo - host.os - host.risk + - host.target prefix: host. + reusable: + expected: + - as: target + at: host + full: host.target + short_override: Targeted host of action taken. + top_level: true reused_here: - full: host.entity schema_name: entity @@ -10089,6 +10927,9 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. + - full: host.target + schema_name: host + short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 7f71a4089..7ed83fb22 100644 
--- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json 
@@ -271,6 +271,280 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index a0acf841a..af2b868e9 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -2667,6 +2667,280 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/schemas/host.yml b/schemas/host.yml
index 2782b569c..2d33b05b7 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -25,6 +25,12 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + reusable: + top_level: true + expected: + - at: host + as: target + short_override: Targeted host of action taken. type: group fields: - name: hostname
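Review bot: Reusing the whole `host` field set under `host.target` also carries the host-local observation fields into the target — `cpu.usage`, `disk.*`, `network.*`, `uptime`, `boot.id` and `pid_ns_ino` all appear under `target` in the generated composable and legacy templates — which a producer can rarely fill for a remote host, while the only guidance the new `reusable:` block gives is the one-line `short_override`. The `description` of this field set (the `- name: host` entry and its description start above the hunk) should say which `host.target.*` fields are expected in practice and how they relate to the root fields, for example by appending `When an event records an action taken against another host, populate at least the identifying host.target.* fields (name, id, ip, domain); the root host.* fields still describe the host on which the event was observed or produced.` If the intent is to mirror `user.target`, the usage documentation that accompanies the `user` reuse would be the natural place for a worked example, assuming the project keeps such a page. It is also worth confirming that the mapping growth the generated hunks add to every index template (each is roughly 270 lines) is acceptable for consumers that apply the legacy template with a field-count limit.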