From 07f5f9f7a6548807de809ef58939751568856631 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Wed, 14 Aug 2024 13:54:07 +0200
Subject: [PATCH 1/4] Add `related.entity` field
---
schemas/related.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/schemas/related.yml b/schemas/related.yml
index b052fa3c00..a7631a1f63 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -70,3 +70,15 @@
 identifiers include FQDNs, domain names, workstation names, or aliases.
 normalize:
 - array
+
+ - name: entity
+ level: extended
+ type: keyword
+ short: All the entity identifiers
+ description: >
+ All the entity identifiers related to the document. If the document
+ contains multiple entities, identifiers belonging to different entities
+ will be present. Example identifiers include Cloud Resource Ids, ARNs, email
+ addresses, or hostnames.
+ normalize:
+ - array
\ No newline at end of file
From 31ddf2433d67d2a55c2cd4a3cca93e5f44d7211d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Wed, 14 Aug 2024 14:52:30 +0200
Subject: [PATCH 2/4] Add generated files
---
docs/fields/field-details.asciidoc | 19 +++++++++++++++++++
experimental/generated/beats/fields.ecs.yml | 9 +++++++++
experimental/generated/csv/fields.csv | 1 +
experimental/generated/ecs/ecs_flat.yml | 14 ++++++++++++++
experimental/generated/ecs/ecs_nested.yml | 14 ++++++++++++++
.../composable/component/related.json | 4 ++++
.../elasticsearch/legacy/template.json | 4 ++++
generated/beats/fields.ecs.yml | 9 +++++++++
generated/csv/fields.csv | 1 +
generated/ecs/ecs_flat.yml | 14 ++++++++++++++
generated/ecs/ecs_nested.yml | 14 ++++++++++++++
.../composable/component/related.json | 4 ++++
generated/elasticsearch/legacy/template.json | 4 ++++
13 files changed, 111 insertions(+)
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index f2259fb87e..046a102c46 100644
--- a/docs/fields/field-details.asciidoc
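Review bot: The description of the new `related.entity` entry lists hostnames and email addresses as examples, but the `related.hosts` field it is appended after already claims FQDNs, domain names and workstation names (its context line opens this hunk), so a pipeline author cannot tell whether `related.entity` is a union of every identifier on the document or only those identifiers that have no dedicated `related.*` field — and for a pivot field that decides whether `related.entity:<value>` is a complete query. Say which it is in the description, e.g. `Populate this field in addition to the more specific related.* fields, so that a single query on related.entity finds every entity involved regardless of type.` (or the inverse, if the intent is to hold only identifiers the other related.* fields do not cover). Because `keyword` matches exactly while hostnames are case-insensitive and ARNs are not, a sentence stating the expected case handling would also be worth adding, since pivots across producers will otherwise silently miss values. Minor: the `short` text `All the entity identifiers` drops the terminal period and the "seen on your event" phrasing the sibling fields use, and the file is left without a trailing newline (`\ No newline at end of file`). The `fields:` list this entry belongs to begins outside the hunk.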
+++ b/docs/fields/field-details.asciidoc @@ -9124,6 +9124,25 @@ A concrete example is IP addresses, which can be under host, observer, source, d // =============================================================== +| +[[field-related-entity]] +<> + +a| All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, or hostnames. + +type: keyword + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + | [[field-related-hash]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 625206235f..46ef83358f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -7938,6 +7938,15 @@ type: group default_field: true fields: + - name: entity + level: extended + type: keyword + ignore_above: 1024 + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + default_field: false - name: hash level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 85f24dce13..c3e41bd7f7 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1026,6 +1026,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 8.12.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 8.12.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev+exp,true,related,related.entity,keyword,extended,array,,All the entity identifiers 8.12.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 8.12.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 8.12.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 6e09b7f52f..a3719c692b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -12929,6 +12929,20 @@ registry.value: normalize: [] short: Name of the value written. type: keyword +related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will be + present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then using 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1f7f9648b7..e6f6aeb42f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -15395,6 +15395,20 @@ related: `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' fields: + related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 529fa9a356..2430ad0b2c 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -8,6 +8,10 @@ "properties": { "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6b9172fe34..459afd6a1a 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4680,6 +4680,10 @@ }, "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 77f9536d95..9f687ba5dc 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -7888,6 +7888,15 @@ type: group default_field: true fields: + - name: entity + level: extended + type: keyword + ignore_above: 1024 + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + default_field: false - name: hash level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a7210ad73b..71c0f4300c 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1019,6 +1019,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 8.12.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 8.12.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev,true,related,related.entity,keyword,extended,array,,All the entity identifiers 8.12.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 8.12.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 8.12.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7e504589db..8f404588b0 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -12860,6 +12860,20 @@ registry.value: normalize: [] short: Name of the value written. type: keyword +related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will be + present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then using diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b08955b69b..7c86180488 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -15315,6 +15315,20 @@ related: `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' fields: + related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index cac093b662..5dc640a08f 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json 
@@ -8,6 +8,10 @@ "properties": { "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 6725cae44d..bb5462b644 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4638,6 +4638,10 @@ }, "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" From 8cc868c61c15ed043bd6ec1fcc89966ab12dd881 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Wed, 14 Aug 2024 15:14:53 +0200 Subject: [PATCH 3/4] Update changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9613fb89e6..7beb417867 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Advanced `process.io` and `process.tty` fields to GA. #2317 * Added `threat.indicator.id`. #2324 * Added `process.group` to generated schemas. #2335 +* Added `related.entity` field #2360 #### Improvements From 8fb8324fd2a31cc71cb472afc6bd749dbe57165c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Thu, 19 Sep 2024 14:36:45 +0200 Subject: [PATCH 4/4] Change case of cloud resource IDs --- docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/ecs/ecs_flat.yml | 2 +- experimental/generated/ecs/ecs_nested.yml | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/ecs/ecs_flat.yml | 2 +- generated/ecs/ecs_nested.yml | 2 +- schemas/related.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 046a102c46..eb2539b58c 100644 --- a/docs/fields/field-details.asciidoc 
+++ b/docs/fields/field-details.asciidoc @@ -9128,7 +9128,7 @@ A concrete example is IP addresses, which can be under host, observer, source, d [[field-related-entity]] <> -a| All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, or hostnames. +a| All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 46ef83358f..3f1ce4ce93 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -7944,7 +7944,7 @@ ignore_above: 1024 description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will - be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. default_field: false - name: hash diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a3719c692b..1aecb01166 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -12933,7 +12933,7 @@ related.entity: dashed_name: related-entity description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be - present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. flat_name: related.entity ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index e6f6aeb42f..a04ec92aec 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -15399,7 +15399,7 @@ related: dashed_name: related-entity description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will - be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. flat_name: related.entity ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9f687ba5dc..9e8fb0a70d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -7894,7 +7894,7 @@ ignore_above: 1024 description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will - be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. default_field: false - name: hash diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8f404588b0..9431bf26e7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -12864,7 +12864,7 @@ related.entity: dashed_name: related-entity description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be - present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. flat_name: related.entity ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 7c86180488..a4470668e4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -15319,7 +15319,7 @@ related: dashed_name: related-entity description: All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will - be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. flat_name: related.entity ignore_above: 1024 diff --git a/schemas/related.yml b/schemas/related.yml index a7631a1f63..ae4dd54e03 100644 --- a/schemas/related.yml +++ b/schemas/related.yml @@ -78,7 +78,7 @@ description: > All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities - will be present. Example identifiers include Cloud Resource Ids, ARNs, email + will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. normalize: - array \ No newline at end of file